Einstein-Podolsky-Rosen (EPR) and the more powerful Mayers-Lo-Chau attacks impose a serious
constraint on quantum bit commitment (QBC). As a way to circumvent them, it is proposed
that the quantum system encoding the commitment chosen by the committer (Alice) should be
initially prepared in a separable quantum state known to and furnished by the acceptor (Bob), rather
than Alice. Classical communication is used to conclude the commitment phase and bind Alice's
subsequent unveiling. Such a class of secure protocols can be built upon currently proposed QBC
schemes impervious to a simple EPR attack. A specific scheme based on the
Brassard-Crépeau-Jozsa-Langlois protocol is presented here as an example.

I. INTRODUCTION

Quantum cryptography is concerned with harnessing the principles of quantum mechanics to create secure
cryptosystems. It can broadly be divided into quantum key distribution (QKD), which is concerned with secure
sharing of cryptographic keys, and a host of other schemes, such as quantum coin tossing, quantum oblivious
mutual identification, quantum oblivious transfer and "two party secure computation" (TPSC), essentially
concerned with secure processing of private information to reach a public decision. The latter schemes depend on the
validity of quantum bit commitment (QBC), a quantum cryptographic primitive for secure information
processing. In a concrete realization of bit commitment, Alice writes 0 or 1 on a note, puts it in a safe, which she hands
over to Bob. Upon Bob choosing to enter the transaction, she gives him the key to the safe. The main point is that
Alice cannot cheat by changing her mind after handing Bob the safe, nor can Bob cheat by finding out about Alice's
decision unless she gives him the key. A secure bit commitment is one which is (at least, exponentially) binding on
Alice and unconditionally concealing (of her commitment) from Bob and thus prevents either party from cheating.
That entanglement can undermine QBC was first realized by Bennett and Brassard, who pointed out that the
BB84 scheme was insecure against an Einstein-Podolsky-Rosen (EPR) attack by Alice, i.e., a deception where
she sends Bob part of entangled photons instead of ones in a definite polarization state, and waits until after the initial
phase of the protocol to measure the part she retains. A subsequent proposition, namely the BCJL protocol,
though impervious to an EPR attack, is nevertheless rendered insecure by an entanglement-based attack independently
uncovered by Lo and Chau [11,12] and Mayers [13]. The essence of their proof is that if the protocol is secure against
Bob, Alice can cheat by supplying him a pure state entangled system, and switching her commitment by local unitary
operations. It has come to be accepted that QBC simultaneously secure against both Alice and Bob is impossible,
though a trade-off is permitted.

Almost all QBC schemes we know conform to a model wherein the quantum system encoding the committer's 
(Alice's) commitment b is prepared by her. She is the sender. The party that accepts her commitment, the "acceptor" 
called Bob, is the receiver of the quantum information. The present article explores whether QBC can be made secure 
if Bob, rather than Alice, prepares and sends the initial state of the encoding quantum system, and Alice is the receiver 
who "inscribes" her commitment on the state furnished by Bob. The motivation to do so is quite straightforward,
given that the insecurity of QBC so far stems from Alice preparing the initial state as she likes. 






II. THE MODIFIED BCJL SCHEME 



In a typical QBC scheme, Alice prepares a quantum state consisting of a pre-agreed number n of photons in a pure
product state determined by her commitment $b$ ($\in \{0, 1\}$). Four possible preparations of a photon are permitted: in
the rectilinear basis (denoted $+$), with horizontal (denoted 0) or vertical (denoted 1) polarization; else, in the diagonal
basis (denoted $\times$) with polarization oriented at 45° (denoted 0) or 135° (denoted 1). She sends these photons to Bob
as a piece of evidence of her commitment. If Bob signals his acceptance to enter the transaction, she unveils b and
the preparation information of her photons, which Bob then verifies by measuring their polarizations. In order that
Bob should not cheat, the density matrices of the system given to Bob corresponding to $b = 0, 1$ - namely $\rho_0^B, \rho_1^B$ -
should be (almost) indistinguishable. On the other hand, the preparation of the photons she sends Bob should be
binding on her. As noted earlier, if a Mayers-Lo-Chau (MLC) attack can be launched, then these two requirements
are mutually exclusive.

A simple way to circumvent an EPR or MLC attack is to prevent Alice from launching one. The main point of the 
present article is that Bob can achieve this by preparing a separable n-particle quantum state and sending it to Alice
to inscribe her commitment. We need to show that any subsequent action by Alice will not permit her to launch an 
attack. Then, a classical communication from Alice is sufficient to guard against her cheating. The hallmarks of the 
class of protocols we envisage are (1) a reverse quantum communication, wherein Alice and Bob have exchanged their 
traditional sender-receiver roles, and (2) a classical communication from Alice to signal the end of the commitment 
phase. 

We present a version of the BCJL protocol modified to include these two features. The proof of its security is given 
thereafter. The modified BCJL scheme consists of two phases, the commitment phase and unveiling phase, enumerated
below. An intervening phase of arbitrary duration, referred to as the holding phase, is implicit but ignored in the
analysis. Since we only wish to present a proof of principle, discussion on error correction is not included here. 

1. Commitment phase: 

(a) Alice and Bob agree upon an n-bit code $C$ (with some required properties).

(b) They also agree upon a random n-bit string $r \in \{0, 1\}^n$.

(c) Bob chooses a random n-bit string $R_B \in C$.

(d) He chooses a random n-bit string $\eta \in \{+, \times\}^n$ and prepares the state
$|R_B\rangle_\eta = |R_B(1)\rangle_{\eta(1)} \otimes \cdots \otimes |R_B(n)\rangle_{\eta(n)}$
and sends it to Alice.

(e) She chooses a random n-bit string $\theta \in \{+, \times\}^n$ and measures Bob's photons in bases $\theta$, obtaining outcomes
$R_A \in \{0, 1\}^n$.

(f) To encode her commitment b, Alice checks whether $\{R_A \in C \mid r \odot R_A = b\}$, where the symbol $\odot$ denotes
scalar product modulo 2, or the parity of the bitwise AND operation. If the check succeeds (fails), she
excludes a photon at a randomly chosen position x where she obtained outcome 0 (1), to obtain $R'_A$ such
that $\{R'_A \in C \mid r \odot R'_A = b\}$.

(g) She communicates to Bob the value of x. This announcement serves as a piece of evidence of her
commitment.

2. Unveiling phase:

(a) Alice announces $b$, $R_B$ and $\theta$.

(b) Bob verifies that: $r \odot R'_B = b$.

(c) He also verifies that whenever $\eta(i) = \theta(i)$, $R_A(i) = R_B(i)$.

Even though Bob prepares and thus knows the state $|R_B\rangle_\eta$ he sent Alice, without access to her outcomes where
$\eta(i) \neq \theta(i)$, he cannot deduce b. In fact, he doesn't even know where $\eta$ and $\theta$ don't match. Further, Alice need not fear
that by sending in an entangled state rather than a separable state Bob can hope to get information about her
measurement outcomes. The very nature of quantum measurement (assumed to be a von Neumann projection or, more
generally, a positive operator valued measure) prohibits Bob from knowing anything about her action, because Bob's
local density matrix is unaffected by Alice's measurement. Therefore, even empowered with a quantum computer,
Bob cannot hope to deduce her outcomes by observations local to him. One way to view this is that if this were not
the case, then Alice could transmit superluminal signals to Bob according to her choice of $\theta$ [15]. Another deterrent
for Bob, as shown below, is that Alice could launch an MLC attack against him if the system remains entangled with
a hidden system on his side at the time of her measurement. Therefore the modified protocol is indeed secure against
Bob.

Since Bob knows the exact pure, separable state he sent her, any entanglement-based attack cannot be launched by
Alice. Moreover the no-cloning theorem [16] prevents her from knowing the exact state Bob sent her. Were this not
so, she could find out the exact state Bob sent her and cheat by unveiling some $\theta(i)$ in the wrong basis and claim any
outcome she likes. Thus, if she decides to switch her commitment in the unveiling phase, the best she can do is to flip
some $R'_B(i)$ with outcome 1, and announce the dishonest $R'_B$ to Bob. But her probability for getting away without
Bob noticing is 1/2. Therefore, if the scheme is implemented on s rounds, her probability for cheating successfully falls
exponentially as . Alice's classical communication in step 1(g) serves the crucial dual role of signaling Bob that
the commitment phase is over, as well as binding Alice's to-be-unveiled commitment. This step is necessary because
he cannot deduce based on local measurements whether she has measured or not. On the other hand, a mere intimation
on her part is clearly insufficient, since she could simply lie that she measured, while actually intending to delay the
decision on her commitment. It must bind her future unveiling, but without betraying b. Therefore, we expect that
any proposed scheme that constrains outcomes of measurements - with the result that $\rho_0^B$ and $\rho_1^B$ slightly differ (e.g.,
the BCJL scheme) - rather than measurement basis (e.g., the BB84 scheme), permits a secure version along the lines
given above.
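
Added example, not part of the original article: a classical Monte Carlo sketch of steps 1(b)-(g) and 2(b)-(c) for an honest Bob sending product states, estimating how often Alice passes verification after switching b by flipping one bit. Assumptions of this sketch: the code C is taken to be all n-bit strings, there is no error correction, a position with outcome 1 is excluded only if r(x) = 1 so that the parity actually flips, and the function names are hypothetical.

```python
import random

def parity(r, R, skip=None):
    """r . R modulo 2 (parity of bitwise AND), ignoring the excluded position."""
    return sum(a & b for i, (a, b) in enumerate(zip(r, R)) if i != skip) % 2

def commitment_phase(n, b, rng):
    """Steps 1(b)-(g), simulated classically. Returns None if no valid x exists."""
    r = [rng.randrange(2) for _ in range(n)]
    R_B = [rng.randrange(2) for _ in range(n)]          # Bob's bits
    eta = [rng.choice("+x") for _ in range(n)]          # Bob's bases
    theta = [rng.choice("+x") for _ in range(n)]        # Alice's bases
    # Matching basis reproduces Bob's bit; mismatched basis gives a fair coin.
    R_A = [B if t == e else rng.randrange(2) for B, e, t in zip(R_B, eta, theta)]
    if parity(r, R_A) == b:                             # check succeeds: drop a 0
        options = [i for i in range(n) if R_A[i] == 0]
    else:                                               # check fails: drop a 1 with r(x)=1
        options = [i for i in range(n) if R_A[i] == 1 and r[i] == 1]
    if not options:
        return None
    return dict(r=r, R_B=R_B, eta=eta, theta=theta, R_A=R_A, x=rng.choice(options))

def bob_verify(s, b, R_claim):
    """Steps 2(b)-(c): parity equals b, and bits agree wherever bases coincide."""
    if parity(s["r"], R_claim, skip=s["x"]) != b:
        return False
    return all(R_claim[i] == s["R_B"][i] for i in range(len(R_claim))
               if i != s["x"] and s["theta"][i] == s["eta"][i])

def cheat_rate(n=16, trials=4000, seed=1):
    """Fraction of runs where Alice switches b by flipping one bit and passes."""
    rng, passed, done = random.Random(seed), 0, 0
    while done < trials:
        b = rng.randrange(2)
        s = commitment_phase(n, b, rng)
        flips = [] if s is None else [i for i in range(n)
                 if i != s["x"] and s["r"][i] == 1 and s["R_A"][i] == 1]
        if not flips:
            continue                                    # no usable position; rerun
        assert bob_verify(s, b, s["R_A"])               # honest unveiling always passes
        forged = list(s["R_A"])
        forged[rng.choice(flips)] ^= 1                  # flips the parity, so claims 1-b
        passed += bob_verify(s, 1 - b, forged)
        done += 1
    return passed / trials
```

The forged string escapes detection only when the flipped position was measured in a basis different from Bob's, which Alice cannot know, so the estimate sits near the 1/2 quoted above.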



III. ENTANGLEMENT WEAKENS SECURITY AGAINST ALICE 

If Bob were to send Alice half of EPR pairs instead of the pure state $|R_B\rangle_\eta$, the above protocol would still be secure
against EPR attacks by Alice. However, Alice can launch an MLC attack. To this end, she does not execute the
measurement in 1(e). For step 1(g), Alice chooses a random photon for exclusion. Suppose each of Alice's remaining
photons is half of an EPR pair in the state $|\phi\rangle = \frac{1}{\sqrt{2}}(|0\rangle_+|0\rangle_+ + |1\rangle_+|1\rangle_+)$, the other half being sent to Bob. The
$2(n-1)$ particle state is given by

$$|\Psi\rangle_{AB} = 2^{-(n-1)/2} \sum_{j=1}^{2^{n-1}} |j\rangle_A \otimes |j\rangle_B \qquad (1)$$

in the + basis. The register A is sent to Alice, while B remains with Bob. Since the BCJL permits $N = 2^{n-1} \cdot 2^{n-2}$
states encoding a given commitment, she augments register A she received from Bob by adding ancilla C, so that
$\mathcal{H}_C \otimes \mathcal{H}_A$, the Hilbert space of the combined CA system, has the dimension $N$ [17].

$$|\Psi\rangle_{CAB} = 2^{-(n-1)/2} \sum_{j=1}^{2^{n-1}} |a\rangle_C \otimes |j\rangle_A \otimes |j\rangle_B = 2^{-(n-1)/2} \sum_{j=1}^{N} |f_j\rangle_{CA} \otimes |j\rangle_B, \qquad (2)$$

where, for $j > 2^{n-1}$, we set $|j\rangle_B = 0$, or null state, but retain the $|j\rangle_B$'s as before for $j \le 2^{n-1}$.

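We denote an ensemble of states in the BCJL scheme encoding commitment $b = 0$ by $\{\sqrt{p_j}\,|0_j\rangle\}$ where
$\sum_j p_j |0_j\rangle\langle 0_j| = \rho_0^B \sim \mathrm{Tr}_A(|\Psi\rangle_{AB}\langle\Psi|_{AB})$. To produce it, she determines the $N \times N$ unitary mixing matrix $U^0$
such that:

$$2^{-(n-1)/2} |j\rangle_B = \sum_{k=1}^{N} U^0_{jk} |0_k\rangle_B. \qquad (3)$$

Denoting $|g_j\rangle_{CA} = \sum_{k=1}^{N} U^0_{jk} |f_k\rangle_{CA}$, we rewrite Eq. (2) as:

$$|\Psi\rangle_{CAB} = \sum_{j=1}^{N} \sqrt{p_j}\, |g_j\rangle_{CA} \otimes |0_j\rangle_B. \qquad (4)$$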

By measuring in the basis of the AC system, she produces a state compatible with $b = 0$. On the other hand,
to convince Bob she is committed to $b = 1$, starting from Eq. (4), Alice applies a unitary transformation to the CA
register to produce an ensemble $\{\sqrt{q_j}\,|1_j\rangle_B\}$ where $\sum_j q_j |1_j\rangle\langle 1_j| = \rho_1^B \sim \mathrm{Tr}_A(|\Psi\rangle_{AB}\langle\Psi|_{AB})$ on Bob's side. Such a
transformation exists since $\rho_0^B \approx \rho_1^B$ [11] [13]. Alternatively, she can directly determine the $N \times N$ unitary mixing
matrix $U^1$ of her incremented system needed to generate the $\{\sqrt{q_j}\,|1_j\rangle_B\}$ state.

The attack works if Alice knows the exact entangling state ($|\phi\rangle$, in this case) Bob used. Nevertheless, it is interesting
that the danger of an MLC attack exists even when Bob prepares the state that is to encode Alice's commitment. 
The main lesson is that the use of entanglement in any form undermines the security of QBC against Alice. 

IV. CONCLUSION



The vicissitudes of QBC's fate are a bit remarkable and indicate its subtle nature. Are there simple fundamental 
causes why the present version of QBC succeeds? In answer, one might say, as in QKD: Heisenberg uncertainty, 
quantum no-cloning and "causality"- that Bob cannot deduce Alice's action without classical input from her. It is 
interesting that essentially the same properties of quantum information that guarantee security between collaborating 
parties in quantum key distribution do the same even when the two parties are mutually distrustful.